Security and trust
Security and data handling for lunao agents.
lunao is built around practical transparency: what data the agent uses, how visitor conversations are handled, where handoff data goes, and which certifications are not claimed.
This page is a product security overview, not a legal certification statement.
What buyers can verify
Sources, limits, and next steps stay visible.
Know what enters the system.
Clear public copy with current and planned boundaries.
Sensitive credentials should stay server-side.
Clear public copy with current and planned boundaries.
No fake compliance badges.
Clear public copy with current and planned boundaries.
Data categories
Know what enters the system.
Website content
Public pages, policies, product pages, FAQs, and approved knowledge sources.
Product discovery data
Public product titles, URLs, descriptions, images, categories, and metadata when discoverable.
Conversation data
Visitor messages, agent responses, source context, and handoff notes.
Voice session data
Browser voice session data when voice is configured and microphone access is granted.
Handoff data
Transcript, summary, source context, risk reason, and visitor-provided details.
Billing data
Subscription and payment metadata handled through the billing provider when configured.
Server-side handling
Sensitive credentials should stay server-side.
Server-side model calls
AI provider keys should not be exposed directly in the browser.
Voice session credentials
Realtime browser voice should use session-specific credentials where configured.
Supabase access
Database service-role behavior should remain server-side and permissioned.
Widget configuration
The public widget should load only what the visitor experience needs.
What lunao does not claim
No fake compliance badges.
No SOC 2 claim
Do not claim SOC 2 unless certification is completed and documented.
No HIPAA claim
No HIPAA compliance should be claimed without formal controls and agreements.
No guaranteed accuracy
Source-backed answering improves control but does not guarantee correctness.
No universal compliance
Privacy-oriented defaults and templates still require review.
FAQ
Common questions.
Does lunao claim SOC 2 certification?
No. Do not claim SOC 2 unless certification is completed and documented.
Is lunao HIPAA compliant?
No HIPAA compliance should be claimed unless a formal compliance program is completed.
Does lunao train public models on customer data?
Website copy should say that customer data is intended to operate the agent experience, and should not make unsupported model-training claims.
Can I control what content the agent uses?
Yes. Source review is central to lunao's setup.
Trust comes from clear boundaries.
Review how lunao handles sources, conversations, handoff, and AI disclosure before publishing your website agent.
